PE-sieve (previously known as Hook Finder) is open source tool based on libpeconv.
It scans a given process, searching for manually loaded or modified modules. When found, it dumps the modified/suspicious PE along with a report in JSON format, detailing about the found indicators.
Currently it detects inline hooks, hollowed processes, Process Doppelgänging, injected PE files etc. In case if the PE file was patched in the memory, it gives a detailed report about where are the changed bytes (and few other properties).
The tool is under rapid development, so expect frequent updates.
PE-sieve is available in 2 versions – as standalone executable, and as a DLL. The DLL version became a base of my other project: HollowsHunter – that makes an automated scan of all the running processes. More about it in the further part of the post.
Where to get it?
The tool is open-source, available on my github:
https://github.com/hasherezade/pe-sieve
Usage
It has a simple, commandline interface. When run without parameters, it displays info about the version and required arguments:
When you run it giving a PID of the running process, it scans all the PE modules in its memory (the main executable, but also all the loaded DLLs). At the end, you can see the summary of how many anomalies have been detected of which type.
In case if some modified modules has been detected, they are dumped to a folder of a given process, for example:
Short history & features
Detecting inline hooks and patches
I started creating it for the purpose of searching and examining inline hooks. You can see it in action here (old version):
It not only detects that there IS an anomaly/patch, but also WHERE exactly it is. For each dumped PE where the patches were found, it creates a file with tags, that can be loaded by PE-bear.
Thanks to this, we can easily browse the found hooks and check the code that was overwritten.
For example – in the application presented above, the Entry Point was patched and the execution was redirected to the added, malicious section:
Detecting hollowed processes
Later, I extended it to detect process hollowing etc – and it turned out to be pretty convenient unpacker:
Detecting Process Doppelgänging
In a similar manner, it can detects some other methods of impersonating a processes, for example Process Doppelgänging. The malicious payload is directly dumped and ready to be analyzed:
Recovering erased imports
PE-sieve has an ability to recover erased imports. In order to enable it, deploy it with appropriate option. Example – unpacking manually loaded payloads with imports erased (Emotet):
Future development
The project is still not finished and I have many ideas how to make it better. I am planning to detect not only code modifications, but also other types of hooking, such as IAT and EAT patching.
Some in-memory patches are done by legitimate applications, so, in the future version I will provide capability of whitelisting defined patches.
I am also planning to extend its dumping capabilities against the malicious processes that are trying to defend themselves against dumpers etc.
PE-sieve as a DLL
During the development process I got an idea to make a DLL version of the PE-sieve, so that it can be incorporated in other projects.
Building PE-sieve from sources as a DLL is very easy – you just need to set one CMake option: PE_SIEVE_AS_DLL:
The PE-sieve DLL exposes a minimalistic API. Two functions are exported:
- PESieve_help – displays a short info and the version of the DLL.
- PESieve_scan – a typical scan with a given parameters, like in the PE-Sieve.exe
The necessary headers needs to be included from the folder “pe-sieve\include“:
https://github.com/hasherezade/pe-sieve/tree/master/include
I have plans to enrich the API in the future. For now, you can see the PE-sieve DLL in action in the HollowsHunter project.
Ideas? Bugs?
If you noticed bug or have an idea for a useful feature, don’t hesitate to mail me or create a Github issue – I check them regularly: